Recently, I created two new HIPAA training resources.
I created a 1-page visual summary of HIPAA, which I call the HIPAA Whiteboard. The idea was to summarize HIPAA in a concise and visually-engaging way. You can download a PDF handout version here. We’ve been licensing it to many organizations for training and awareness purposes.
HIPAA Interactive Whiteboard
I subsequently created a new training module — an interactive version of the HIPAA Whiteboard — the HIPAA Interactive Whiteboard. When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way. Trainees can learn at their own pace. This program is designed to be very short — it is about 5 minutes long.
It can readily be used on internal websites to raise awareness and teach basic information about HIPAA. It can also be used in learning management systems.
This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement to settle HIPAA violations with Filefax, located in Northbrook, Illinois. One aspect was different than their usual settlement process in that Filefax closed the business down during the OCR investigation and was no longer operating when the settlement was reached. OCR announced that Filefax could not avoid their obligations under HIPAA even though they were no longer running the company. The receiver that is liquidating the company’s assets agreed to pay $100,000 to settle the potential HIPAA violations made by the company while open.
Their HIPAA violations stemmed from an anonymous complaint stating that the medical records of approximately 2,150 patients, which contained protected health information (PHI), received by Filefax had been taken to a shredding/recycling facility and sold. The OCR investigation found over a period of several weeks the PHI had been left unsecured outside Filefox and had been removed from the facility by an unauthorized person.
The press release can be viewed here. The Resolution Agreement can be viewed here.
Also of Interest
HIPAA Enforcement Guide
HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement
Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe
Lessons from 2016, the Biggest HIPAA Enforcement Year on Record
Is HIPAA Enforcement Too Lax?
At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties. In 2016, the total in penalties was roughly the same amount but from 15 organizations.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:
Lessons from 2017
Devices, devices, devices . . .
Quite a number of cases involved failure to implement safeguards for PHI on mobile devices. The best fix is to superglue devices to staff. Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.
Several cases involved failing to provide timely notice or to act promptly after problems were discovered. In politics, it’s often not the scandal, but the coverup that fells politicians. In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.
Recently, HIPAA enforcement over data breaches is increasing – a lot. This year has seen some of the largest monetary penalties. Why is this happening?
I had the chance to interview Katherine Keefe, who leads the Beazley Breach Response (BBR) Services Group. I am particularly interested in the insurer’s perspective, so I interviewed Katherine.
The first quarter of 2017 is not yet over and the OCR has already released details of four enforcement penalties totaling over $11 million. 2016 set a record with $20 million in fines for the year, with $5.2 million of that coming in the first quarter. In just the first 2 months of 2017, the fines have been more than half what the entire amount for 2016 was. Here are details about enforcement actions in 2017 thus far:
- Illinois health care network, Presence Health, was fined $475,000 for failing to notify patients of a breach within the 60-day period. The incident took place over 3 years ago. In October 2013, operating room schedules that were written on paper and contained PHI of 836 individuals went missing. Patients were not notified of the breach until February of 2014. This represents the first enforcement related to the timeliness of breach notification.
- An insurance company, MAPFRE, was fined $2.2 million for failure to safeguard portable devices and poor risk assessment and risk management. OCR found that MAPFRE did not have an adequate security awareness training program in place for their workforce. In 2011, an unsecured USB device containing the ePHI of 2,209 individuals was stolen from the company’s IT department. Despite the corrective measures MAPFRE indicated it would take, it did not actually start securing portable devices until 3 years after the incident.
- Children’s Medical Center of Dallas received a $3.2 million fine for multiple incidents where devices with unsecured ePHI were stolen. In 2010 an unencrypted Blackberry was stolen with the ePHI of 3,800 individuals. In 2013, an unencrypted laptop was stolen with ePHI of 2,463 individuals. The OCR investigation discovered that the hospital did not begin to secure and safeguard workstations and portable devices until 2013 despite being aware of the risks for many years.
- Florida corporation, Memorial Healthcare System, agreed to pay a fine of $5.5 million. This ties Advocate Health Care Network’s fine in August of 2016 for the record of highest penalty. In this incident, the PHI of 115,143 patients was improperly accessed and disclosed. Memorial Healthcare failed to terminate a former employee’s log-in credentials which was then used to access 80,000 records with PHI over the course of an entire year. The company also neglected to review the activity within the system that would have identified that the records were being improperly accessed. Memorial discovered the breach while investigating two employees who were stealing patient information to file fake tax returns.
Not too long ago, I posted an overview of OCR’s enforcement in 2016. OCR continues to be active in its enforcement, at its highest level to date. This is a great opportunity for privacy and security officials to point out to upper management the need for greater resources and attention to HIPAA compliance.
Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement. 2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties. At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.
The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.
Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:
This cartoon is about snooping, one of the most common HIPAA violations. HIPAA prohibits accessing information that people don’t need to do their jobs. It can be easy to look at electronic medical records, and people who snoop in this way might not perceive it as wrong. But the cartoon invites people to imagine how creepy the snooping would appear if it were occurring right in front of patients. Computers remove the interpersonal dynamic, making it harder for people to fully appreciate the wrongfulness of their conduct.
Though the high-profile, celebrity snooping incidents garner all the media attention, smaller cases affecting everyday individuals make up the bulk of the cases and legal activity. A large number of inappropriate access claims involve people checking on protected health information (PHI) about family and friends. Snooping is not intended maliciously. Often a concerned staff member will access the patient records of a family member or acquaintance out of worry or concern. In one case, a nurse in New York was fired for disclosing a patient’s medical history to warn a family member who was romantically involved with the patient of the patient’s STD.
This cartoon depicts the way many people perceive HIPAA training. But it doesn’t have to be this way. When most people hear HIPAA training they prepare themselves to slog through a boring lecture filled with tedious legalese. Many have been subjected to hours of training that is overly technical, not useful for their jobs and not even close to being memorable. I designed my HIPAA training to be different. I believe that training should be fun and engaging. It should have personality. I avoid the wordy and needless filler material and focus on the key concrete things that people must know and do.
Here’s a cartoon on HIPAA and social media use to jump start your week. You can’t think enough about HIPAA these days. HIPAA audits are back, and OCR is having a vigorous enforcement year this year, something I plan to post about soon.
HIPAA is famously impenetrable, with so many special terms and definitions. I wrote this cartoon to capture the wonderful world of HIPAA jargon, which I hope fellow lovers of HIPAA can appreciate.
For those who want an introduction to HIPAA and how the Privacy Rule and the Security Rule work, I produced a series of courses on HIPAA for the American Health Information Management Association (AHIMA). Each course is approximately 1 hour long. The courses are:
• HIPAA Privacy: The Pillars of a Privacy Program
• HIPAA Privacy: Rights and Responsibilities
• HIPAA Security: Safeguarding PHI
They are available through AHIMA, but you can preview them on my site here.
These AHIMA HIPAA courses are not for the entire workforce — the courses are for personnel who focus on HIPAA compliance and need to understand the basics of how HIPAA works. My HIPAA training for the workforce is shorter as well as more basic and general.
I have another HIPAA cartoon here.